improve synapse

2026-02-08 12:37:17 +01:00 · 2026-02-08 12:37:17 +01:00 · 0b041cc949
commit 0b041cc949
parent 4c9e01e754
5 changed files with 53 additions and 39 deletions
--- a/hosts/matrix/default.nix
+++ b/hosts/matrix/default.nix
@ -5,9 +5,10 @@
    ../common.nix
    ../../services/openssh.nix
    ../../services/nginx.nix
+    ./nginx.nix
+    ./synapse.nix
+    ./draupnir.nix
    ../../services/postgres.nix
-    ../../services/synapse.nix
-    ../../services/draupnir.nix
    ../../services/prometheus.nix
    ../../services/grafana.nix
  ];
--- a/hosts/matrix/draupnir.nix
+++ b/hosts/matrix/draupnir.nix
--- a/hosts/matrix/nginx.nix
+++ b/hosts/matrix/nginx.nix
@ -0,0 +1,24 @@
+{ config, pkgs, ... }:
+
+{
+  services.nginx.virtualHosts."matrix.berlin.ccc.de" = {
+    default = true;
+    quic = true;
+    kTLS = true;
+    forceSSL = true;
+    enableACME = true;
+    locations = {
+      #"/.well-known/acme-challenge".root = config.security.acme.defaults.webroot;
+      "/".return = "418 \"🫖\"";
+      "~ ^(/_matrix|/_synapse/client)" = {
+        recommendedProxySettings = true;
+        proxyPass = "http://[::1]:8008";
+        extraConfig = ''
+          client_max_body_size 64M;
+          proxy_set_header X-Request-ID $request_id;
+          proxy_http_version 1.1;
+        '';
+      };
+    };
+  };
+}
--- a/hosts/matrix/synapse.nix
+++ b/hosts/matrix/synapse.nix
@ -4,6 +4,11 @@ let
  domain = "berlin.ccc.de";
 in
 {
+  networking.firewall.extraInputRules = ''
+    ip saddr 195.160.173.14 tcp dport 9009 accept
+    ip6 saddr 2001:678:760:cccb::14 tcp dport 9009 accept
+  '';
+
  services = {
    matrix-synapse = {
      enable = true;
@ -42,7 +47,7 @@ in
            type = "metrics";
            tls = false;
            port = 9009;
-            bind_addresses = [ "::1" ];
+            bind_addresses = ["::" "0.0.0.0"];
            resources = [
              {
                compress = false;
--- a/services/nginx.nix
+++ b/services/nginx.nix
@ -1,44 +1,28 @@
 { config, pkgs, ... }:

-let
-  fqdn = "matrix.berlin.ccc.de";
-in
 {
  users.users.nginx.extraGroups = [ "acme" ];

-  services.nginx = {
-    enable = true;
-    resolver.addresses = [
-      "[2606:4700:4700::1111]"
-      "[2620:fe::fe]"
-      "1.1.1.1"
-      "9.9.9.9"
-    ];
-    statusPage = true; # http://127.0.0.1/nginx_status
-    sslProtocols = "TLSv1.3";
-    recommendedTlsSettings = true;
-    recommendedOptimisation = true;
-    recommendedGzipSettings = true;
-    recommendedBrotliSettings = true;
-    virtualHosts."${fqdn}" = {
-      default = true;
-      quic = true;
-      kTLS = true;
-      forceSSL = true;
-      enableACME = true;
-      locations = {
-        #"/.well-known/acme-challenge".root = config.security.acme.defaults.webroot;
-        "/".return = "418 \"🫖\"";
-        "~ ^(/_matrix|/_synapse/client)" = {
-          recommendedProxySettings = true;
-          proxyPass = "http://[::1]:8008";
-          extraConfig = ''
-            client_max_body_size 64M;
-            proxy_set_header X-Request-ID $request_id;
-            proxy_http_version 1.1;
-          '';
-        };
-      };
+  services = {
+    nginx = {
+      enable = true;
+      resolver.addresses = [
+        "[2606:4700:4700::1111]"
+        "[2620:fe::fe]"
+        "1.1.1.1"
+        "9.9.9.9"
+      ];
+      statusPage = true; # http://127.0.0.1/nginx_status
+      sslProtocols = "TLSv1.3";
+      recommendedTlsSettings = true;
+      recommendedOptimisation = true;
+      recommendedGzipSettings = true;
+      recommendedBrotliSettings = true;
+    };
+    prometheus.exporters.nginx = {
+      enable = true;
+      firewallRules = config.services.prometheus.exporters.node.firewallRules;
+      openFirewall = true;
    };
  };
 }